
List:       openssl-dev
Subject:    [openssl.org #2534] Hardcoded MIN_LEN prevents using VALID passphrase from stdin
From:       "Scott Schaefer via RT" <rt () openssl ! org>
Date:       2011-05-27 7:38:25
Message-ID: rt-3.4.5-21058-1306481905-1083.2534-21-0 () openssl ! org

Affects OpenSSL since at least v 0.9.8g.
Originally reported as Debian Bug # 533365
Problem Cause: Hardcoded "MIN_LEN=4" in source file crypto/pem/pem_lib.c

One can generate keys with a 'too short' passphrase; e.g.

$ openssl genrsa -des3 -passout pass:1 -out mykey.pem 1024
or, alternatively:
$ echo 1 > psw
$ openssl genrsa -des3 -passout file:./psw -out mykey.pem 1024

One can then "use" the key, even for operations which require a passphrase; e.g.:
$ openssl rsa -passin pass:1 -in mykey.pem -out outkey.pem
or
$ openssl rsa -passin file:./psw -in mykey.pem -out outkey.pem

However, a passphrase with length < 4 cannot be entered from stdin:

$ openssl rsa -in mykey.pem -out outkey.pem
Enter pass phrase for mykey.pem:
17325:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:850:You must type in 4 to 8191 characters


-- Original Report -------
I have got an RSA key which is encrypted (Proc-Type: 4,ENCRYPTED) using a password of only one character. Unfortunately, OpenSSL is not able to remove the password with the standard

openssl rsa -in my.key -out my.key.insecure

Error:
29913:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters

A forced check like this is questionable, and in the case of not generating, but just *using* (e.g. decrypting) a password it is totally unacceptable. OpenSSL renders my private key unusable.

Proposal for fixing this issue: remove password size/quality checks for decrypting operations.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org

